Your message dated Tue, 27 Jan 2015 12:33:39 +0000
with message-id <[email protected]>
and subject line Bug#775306: fixed in pxz 4.999.99~beta3+git659fc9b-3
has caused the Debian Bug report #775306,
regarding pxz: CVE-2015-1200: race condition in setting permissions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
775306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775306
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pxz
Version: 4.999.99~beta3+git659fc9b-2
Tags: security
pxz sets the mode of an output file to be the same as the one of an
input file but does it only after compression is over. This leaves the
output file with the wrong mode during all the time of the compression
process.
Illustration:
$ truncate -s 1G foo
$ chmod 600 foo
$ pxz foo &
[1] 9240
$ ls -l foo.xz
-rw-r--r-- 1 user user 0 Jan 14 00:33 foo.xz
$ wait %
[1]+ Done pxz foo
$ ls -l foo.xz
-rw------- 1 user user 161976 Jan 14 00:33 foo.xz
The issue is similar to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0296 .
--
Alexander Cherepanov
--- End Message ---
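The report above describes a permission race: the output file is created under the process umask and only chmod()ed to the input's mode once compression finishes, so a 0600 input yields a 0644 output for as long as the compression runs. The following C program is an added illustration of that pattern next to a hardened one; it is not pxz's code and not the Debian patch. The function names (compress_racy, compress_safe, probe_stage, run_demo), the callback that stands in for the compression stage, and the "compressed-bytes" payload are all constructed for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the compression stage: it writes some data into
 * fd and records the mode the output file has while that is happening. */
typedef int (*stage_fn)(int fd, mode_t *mode_seen);

static int probe_stage(int fd, mode_t *mode_seen)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    *mode_seen = st.st_mode & 07777;           /* what another user sees now */
    const char payload[] = "compressed-bytes"; /* constructed sample data */
    return write(fd, payload, sizeof payload - 1) < 0 ? -1 : 0;
}

/* Pattern from the bug report (illustration, not pxz's code): the output is
 * created subject to the umask and only chmod()ed to match the input after
 * all data has been written. */
static int compress_racy(const char *in, const char *out, stage_fn stage, mode_t *seen)
{
    struct stat st;
    if (stat(in, &st) != 0)
        return -1;
    int fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0666); /* umask 022 -> 0644 */
    if (fd < 0)
        return -1;
    int rc = stage(fd, seen);                /* file is world-readable here */
    if (rc == 0)
        rc = chmod(out, st.st_mode & 07777); /* window closes only now; path-based */
    close(fd);
    return rc;
}

/* Hardened variant: create owner-only, refuse an existing path (O_EXCL), and
 * apply the input's mode to the descriptor before any data lands. */
static int compress_safe(const char *in, const char *out, stage_fn stage, mode_t *seen)
{
    struct stat st;
    if (stat(in, &st) != 0)
        return -1;
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, st.st_mode & 07777) != 0) { /* fd-based: no second path lookup */
        close(fd);
        unlink(out);
        return -1;
    }
    int rc = stage(fd, seen);
    close(fd);
    return rc;
}

/* Reproduces the report's scenario in a scratch directory: umask 022, a 0600
 * input, then returns the mode the output had while "compression" ran
 * (-1 on error). Cleans up after itself. */
static int run_demo(int hardened)
{
    const char *tmp = getenv("TMPDIR");
    char dir[4096], in[4200], out[4200];
    snprintf(dir, sizeof dir, "%s/pxzdemo.%ld", tmp ? tmp : "/tmp", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(in, sizeof in, "%s/foo", dir);
    snprintf(out, sizeof out, "%s/foo.xz", dir);
    unlink(in);
    unlink(out); /* clear leftovers from an interrupted run */

    mode_t old = umask(022);
    int result = -1;
    int fd = open(in, O_WRONLY | O_CREAT | O_EXCL, 0600); /* "chmod 600 foo" */
    if (fd >= 0) {
        close(fd);
        mode_t seen = 0;
        int rc = hardened ? compress_safe(in, out, probe_stage, &seen)
                          : compress_racy(in, out, probe_stage, &seen);
        if (rc == 0)
            result = (int)seen;
    }
    umask(old);
    unlink(out);
    unlink(in);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("racy:     output mode during compression = %04o\n", run_demo(0));
    printf("hardened: output mode during compression = %04o\n", run_demo(1));
    return 0;
}
```

Two things the hardened variant changes beyond closing the window. Creating with S_IRUSR|S_IWUSR means the file is never wider than 0600 regardless of the caller's umask, and O_EXCL refuses to write through a path an attacker pre-created (for instance a symlink). Applying the mode with fchmod on the open descriptor rather than chmod on the path avoids a second lookup that could be redirected between open and chmod. Whether the actual Debian patch took this exact shape is not stated in the thread; the program only demonstrates the class of fix.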
--- Begin Message ---
Source: pxz
Source-Version: 4.999.99~beta3+git659fc9b-3
We believe that the bug you reported is fixed in the latest version of
pxz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated pxz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 27 Jan 2015 12:34:37 +0100
Source: pxz
Binary: pxz
Architecture: source amd64
Version: 4.999.99~beta3+git659fc9b-3
Distribution: unstable
Urgency: medium
Maintainer: Holger Levsen <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Description:
pxz - parallel LZMA compressor using liblzma
Closes: 775306
Changes:
pxz (4.999.99~beta3+git659fc9b-3) unstable; urgency=medium
.
* CVE-2015-1200: Fix race condition in setting permissions. Thanks to
Moritz Mühlenhoff for the patch. (Closes: #775306)
Checksums-Sha1:
468f4f4416df623a14a82614a6d176a4228f26e1 1936
pxz_4.999.99~beta3+git659fc9b-3.dsc
30f7e3fc5f95269b8dcefbd031930af36c8ec57e 2772
pxz_4.999.99~beta3+git659fc9b-3.debian.tar.xz
cd5dc7783750e89c996c494d4ca448094df4e1ff 9524
pxz_4.999.99~beta3+git659fc9b-3_amd64.deb
Checksums-Sha256:
d8107b7e874fc4fab69b808c1c26765de56e8a7d29a2c076db613cb8afaea1b8 1936
pxz_4.999.99~beta3+git659fc9b-3.dsc
af5152dc2d63da17f41640ce47638155d793f687fd557e4851aa7760fd376dd2 2772
pxz_4.999.99~beta3+git659fc9b-3.debian.tar.xz
98b8588e9919ab8e9e425e44306683f553e3df122c7a66a77fd7c1daed15ddb9 9524
pxz_4.999.99~beta3+git659fc9b-3_amd64.deb
Files:
282d9dc02fab1f422c1b2c71292d3e87 1936 misc optional
pxz_4.999.99~beta3+git659fc9b-3.dsc
0c5b5a634fffeb182feb7c3bc73ba6cb 2772 misc optional
pxz_4.999.99~beta3+git659fc9b-3.debian.tar.xz
c954ead13db388d76715732910e3b464 9524 misc optional
pxz_4.999.99~beta3+git659fc9b-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---